
Group Policy not applying



Guest Shin.Lail@googlemail.com
Posted

I've just installed a new DC and a new TS. I created a new OU for the

TS and created a GPO. I set the GPO to use loopback and made some

changes to the user settings. I can log in ok but the user settings

are not being applied.

 

Notes;

Auth Users have read and apply set

Admins have Deny

A sec group has got access to the TS. I have added relevant users to

it.

 

It's a fresh install but I can't see a reason why it is not working.

Any assistance is much appreciated.

Guest Vera Noest [MVP]
Posted

Re: Group Policy not applying

 

Did you run the "gpupdate" command on the server?

 

The tool to use when policies aren't applied as you expect them to

be is Resultant Set of Policies (RSoP).

Also check the EventLog on the server and enable verbose logging of

the user environment.

 

250842 - Troubleshooting Group Policy Application Problems

http://support.microsoft.com/?kbid=250842

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

Shin.Lail@googlemail.com wrote on 08 Oct 2007 in

microsoft.public.windows.terminal_services:

> I've just installed a new DC and a new TS. I created a new OU

> for the TS and created a GPO. I set the GPO to use loopback and

> made some changes to the user settings. I can log in ok but the

> user settings are not being applied.

>

> Notes;

> Auth Users have read and apply set

> Admins have Deny

> A sec group has got access to the TS. I have added relevant

> users to it.

>

> It's a fresh install but I can't see a reason why it is not

> working. Any assistance is much appreciated.

Posted

Re: Group Policy not applying

 

Hi,

 

Add a Deny Apply Group Policy for Domain Admins

Remove the Deny entry for Administrators

Run gpupdate /force on your TS

 

You can use gpresult.exe on your TS to troubleshoot.

 

-TP

 

Shin.Lail@googlemail.com wrote:

> I've just installed a new DC and a new TS. I created a new OU for the

> TS and created a GPO. I set the GPO to use loopback and made some

> changes to the user settings. I can log in ok but the user settings

> are not being applied.

>

> Notes;

> Auth Users have read and apply set

> Admins have Deny

> A sec group has got access to the TS. I have added relevant users to

> it.

>

> It's a fresh install but I can't see a reason why it is not working.

> Any assistance is much appreciated.

Guest Shin.Lail@googlemail.com
Posted

Re: Group Policy not applying

 

On 8 Oct, 20:54, "TP" <tperson.knowsp...@mailandnews.com> wrote:

> Hi,

>

> Add a Deny Apply Group Policy for Domain Admins

> Remove the Deny entry for Administrators

> Run gpupdate /force on your TS

>

> You can use gpresult.exe on your TS to troubleshoot.

>

> -TP

>

>

>

 

Thanks for the quick reply folks.

 

I have run gpupdate and even rebooted the servers. In fact I have even

removed the GPO and re added it, as well as removing the TS from the

domain and then rejoining it. The Event Log doesn't show any errors. I

will go through the MS document, tomorrow - I'm in the UK and it's

evening.

 

It appears to be running the DDP but since I have loopback I wouldn't

expect it to. I have even tried taking the loopback out and put the

block inheritance on but it still didn't apply the User settings. If I

place the user in the OU with the TS it works fine but this is not

practical as I've got users who log in locally and remotely.

 

Excuse my ignorance but I don't see how changing the Deny to Domain

admins will help. The users have not got Admin or domain admin rights.

If you think it will help I'll give it a go.

 

My GPresult details are

 

OS Type: Microsoft® Windows® Server 2003,

Standard Edition

OS Configuration: Member Server

OS Version: 5.2.3790

Terminal Server Mode: Application Server

Site Name: N/A

Roaming Profile:

Local Profile: C:\Documents and Settings\shin

Connected over a slow link?: No

 

 

USER SETTINGS

--------------

CN=Shin,OU=Classics Users,OU=All Users,DC=vogue,DC=local

Last time Group Policy was applied: 08/10/2007 at 12:32:58

Group Policy was applied from: 2k3server.vogue.local

Group Policy slow link threshold: 500 kbps

Domain Name: VOGUE

Domain Type: Windows 2000

 

Applied Group Policy Objects

-----------------------------

Default Domain Policy

 

The following GPOs were not applied because they were filtered out

 

-------------------------------------------------------------------

Local Group Policy

Filtering: Not Applied (Empty)

 

The user is a part of the following security groups

---------------------------------------------------

Domain Users

Everyone

BUILTIN\Users

REMOTE INTERACTIVE LOGON

NT AUTHORITY\INTERACTIVE

NT AUTHORITY\Authenticated Users

This Organization

LOCAL

Terminal Server Users

 

If this information lets you know where I'm going wrong, please feel

free to point out my numptyness.

 

Thanks again,

Shinder

Guest Shin.Lail@googlemail.com
Posted

Re: Group Policy not applying

 

>

> It appears to be running the DDP but since I have loopback I wouldn't

> expect it to. I have even tried taking the loopback out and put the

> block inheritance on but it still didn't apply the User settings.

 

Just realised what I wrote. Taking the loopback out will stop it

applying the User settings. Doh! It was late in the evening when I

tried that and I was tired :-)

Posted

Re: Group Policy not applying

 

Hi Shinder,

 

Loopback processing mode is a *computer* configuration

policy setting. In order for it to be applied the TS server's

computer account must have Read and Apply Group Policy

rights to the GPO. You added a Deny entry for Administrators

which blocked the computer account since it is a member

of Administrators.

 

-TP

 

Shin.Lail@googlemail.com wrote:

> Thanks for the quick reply folks.

>

> I have run gpupdate and even rebooted the servers. In fact I have even

> removed the GPO and re added it, as well as removing the TS from the

> domain and then rejoining it. The Event Log doesn't show any errors. I

> will go through the MS document, tomorrow - I'm in the UK and it's

> evening.

>

> It appears to be running the DDP but since I have loopback I wouldn't

> expect it to. I have even tried taking the loopback out and put the

> block inheritance on but it still didn't apply the User settings. If I

> place the user in the OU with the TS it works fine but this is not

> practical as I've got users who log in locally and remotely.

>

> Excuse my ignorance but I don't see how changing the Deny to Domain

> admins will help. The users have not got Admin or domain admin rights.

> If you think it will help I'll give it a go.

>

> My GPresult details are

>

> OS Type: Microsoft® Windows® Server 2003,

> Standard Edition

> OS Configuration: Member Server

> OS Version: 5.2.3790

> Terminal Server Mode: Application Server

> Site Name: N/A

> Roaming Profile:

> Local Profile: C:\Documents and Settings\shin

> Connected over a slow link?: No

>

>

> USER SETTINGS

> --------------

> CN=Shin,OU=Classics Users,OU=All Users,DC=vogue,DC=local

> Last time Group Policy was applied: 08/10/2007 at 12:32:58

> Group Policy was applied from: 2k3server.vogue.local

> Group Policy slow link threshold: 500 kbps

> Domain Name: VOGUE

> Domain Type: Windows 2000

>

> Applied Group Policy Objects

> -----------------------------

> Default Domain Policy

>

> The following GPOs were not applied because they were filtered out

>

> -------------------------------------------------------------------

> Local Group Policy

> Filtering: Not Applied (Empty)

>

> The user is a part of the following security groups

> ---------------------------------------------------

> Domain Users

> Everyone

> BUILTIN\Users

> REMOTE INTERACTIVE LOGON

> NT AUTHORITY\INTERACTIVE

> NT AUTHORITY\Authenticated Users

> This Organization

> LOCAL

> Terminal Server Users

>

> If this information lets you know where I'm going wrong, please feel

> free to point out my numptyness.

>

> Thanks again,

> Shinder
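
The check TP's explanation points to, as an added example that is not part of the original thread: list the Deny entries on a GPO's DACL and flag those that deny Apply Group Policy or read access. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules (which postdate the Server 2003 hosts discussed here); the function name Get-GpoDenyAce and the GPO name 'TS Lockdown' are placeholders.

```powershell
# Added example (not from the thread): list Deny ACEs on a GPO's DACL and flag
# the ones that deny "Apply Group Policy" or read access.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules; run it from a
# management machine that has them installed.
Import-Module ActiveDirectory, GroupPolicy

# rightsGuid of the "Apply Group Policy" extended right in the AD schema
$ApplyGroupPolicy = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Get-GpoDenyAce {          # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$GpoName)

    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    # Security filtering is stored on the GPO's AD object (CN={GUID},CN=Policies,...)
    $acl = Get-Acl -Path ("AD:\" + $gpo.Path)

    $extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $readProp = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        $rights = [int]$ace.ActiveDirectoryRights

        # An ExtendedRight ACE with an empty ObjectType covers every extended right
        $deniesApply = (($rights -band $extended) -ne 0) -and
            ($ace.ObjectType -eq $ApplyGroupPolicy -or $ace.ObjectType -eq [guid]::Empty)

        [pscustomobject]@{
            Trustee     = $ace.IdentityReference.Value
            DeniesApply = $deniesApply
            DeniesRead  = (($rights -band $readProp) -ne 0)   # coarse: any denied property read
            Inherited   = $ace.IsInherited
            Rights      = $ace.ActiveDirectoryRights
        }
    }
}

# 'TS Lockdown' is a placeholder GPO name
Get-GpoDenyAce -GpoName 'TS Lockdown' | Format-Table -AutoSize
```

Compare each listed trustee with the group memberships of the accounts that should receive the GPO, the terminal server's computer account included when loopback is in use.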

Guest Shin.Lail@googlemail.com
Posted

Re: Group Policy not applying

 

On 8 Oct, 22:31, "TP" <tperson.knowsp...@mailandnews.com> wrote:

> Hi Shinder,

>

> Loopback processing mode is a *computer* configuration

> policy setting. In order for it to be applied the TS server's

> computer account must have Read and Apply Group Policy

> rights to the GPO. You added a Deny entry for Administrators

> which blocked the computer account since it is a member

> of Administrators.

>

> -TP

>

Hi TP,

 

I had added the computer account with read and apply but the admin

deny setting was taking precedence. I took it out and added Deny to

Domain Admins - As you first suggested - and it worked!

 

Thank you very much for your help and apologies for questioning your

first answer. I bow to your superior knowledge.

 

Shinder

Posted

Re: Group Policy not applying

 

Hello Shinder,

 

You are welcome!

 

I appreciate the fact that you posted back with your results.

This helps us provide better suggestions in the future as

well as helps others who are searching for possible solutions.

 

Note: The computer account is a member of Authenticated

Users so you should not need to add it to the GPO's

DACL.

 

-TP

Posted

Re: Group Policy not applying

 

I have applied GPOs for many TS farms. I would suggest the following.

Create an OU for your GPO, create an OU for your TS servers (computer

account), link the GPO to the TS OU. Users or groups are added to the

Security tab of the GPO.

 

"TP" wrote:

> Hello Shinder,

>

> You are welcome!

>

> I appreciate the fact that you posted back with your results.

> This helps us provide better suggestions in the future as

> well as helps others who are searching for possible solutions.

>

> Note: The computer account is a member of Authenticated

> Users so you should not need to add it to the GPO's

> DACL.

>

> -TP

>

